Running Gradle Tooling API in sandbox with SecurityManager


(Pierre) #1

Hello,

I’d like to create a service which let user try Gradle through a web application. The target audience are my colleagues in my company.
The general use case would be that an user submits a build file, it is stored in a temporary directory and the server performs a Gradle build through the tooling API.

When running the server without a security manager, everything works fine.

When setting a security manager - I use Tomcat 8 with the -security flag at the moment - I have to define permissions for Gradle jars:
grant codeBase "file:${gradle.installation.dir}/-" { permission java.security.AllPermission; };

Now I try to restrict permissions to avoid people submitting code that could harm the service. So far I found that Gradle require at least these permissions to start:
grant codeBase "file:${gradle.installation.dir}/-" { permission java.lang.RuntimePermission "createSecurityManager"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.io.FilePermission "${catalina.base}/webapps/ROOT/WEB-INF/-", "read"; permission java.util.PropertyPermission "slf4j.detectLoggerNameMismatch", "read"; };

At this point, I face an issue that I cannot solve:
Could not create an instance of Tooling API implementation using the specified Gradle installation
[…]
Caused by: java.lang.NullPointerException: null
at org.gradle.util.GradleVersion.(GradleVersion.java:57)

Apparently Gradle cannot load the org/gradle/build-receipt.properties text file bundled in the gradle-core jar.

I wanted to patch GradleVersion.java to add the following lines:
URL resource = GradleVersion.class.getResource(RESOURCE_NAME); if (resource == null) { // Resource not found, try to load through the context class loader bound to the current thread resource = Thread.currentThread().getContextClassLoader().getResource(RESOURCE_NAME); }

But being behind a proxy, when I run ./gradlew build, all integration tests requiring access to jcenter fail.

I have a $GRADLE_USER_HOME/gradle.properties setting http(s) proxy.
I tried to modify the gradlew script to add the -Dhttp.proxyHost/Port variables.
I thought that the gradle wrapper could be the issue, so I tried with my local gradle installation, but running gradle build fails very early (within buildSrc).

Few questions for people browsing the forum:
1. Have you ever tried to run the Gradle Tooling API with a Security Manager?
2. If so, do you have a pointer on some documentation listing required permissions please?
3. Do you have a trick to build gradle behind a proxy?

Thank you.


(Pierre) #2

I somewhat managed to build Gradle (from the REL_2.14.1 tag) by disabling integTest (not proud of me).
The patch works.

But, unfortunately, Gradle Tooling API requires so many permissions to start Gradle that it is almost the same as using java.security.AllPermission.

Therefore, I think I’ll go with a ProcessBuilder + su [limited_user] -c gradle […]…


(Stefan Oehme) #3

Or let the builds run in an isolated container where they can’t cause any harm.


(Pierre) #4

Thank you Stefan for the advice. I do think this is the best solution, provided that you have access to containerization.
Good luck for next releases.